ALARM: Anonymous Location-Aided Routing in Suspicious MANETs
Karim El Defrawy, Member, IEEE, and Gene Tsudik, Senior Member, IEEE

Abstract: In most common mobile ad hoc networking (MANET)
scenarios, nodes establish communication based on long-lasting
public identities. However, in some hostile and suspicious
settings, node identities must not be exposed and node movements
should be untraceable. Instead, nodes need to communicate on the
basis of their current locations. While such MANET settings are not
very common, they do occur in military and law enforcement domains
and require high security and privacy guarantees. In this paper, we
address a number of issues arising in suspicious location-based
MANET settings by designing and analyzing a privacy-preserving and
secure link-state based routing protocol (ALARM). ALARM uses nodes'
current locations to securely disseminate and construct topology
snapshots and forward data. With the aid of advanced cryptographic
techniques (e.g., group signatures), ALARM provides both security
and privacy features, including node authentication, data
integrity, anonymity, and untraceability (tracking-resistance). It
also offers protection against passive and active insider and
outsider attacks. To the best of our knowledge, this work
represents the first comprehensive study of security, privacy, and
performance tradeoffs in the context of link-state MANET
routing.

Index Terms: Privacy, communication system security,
communication system routing, mobile communication, location-based
communication, military communication.

1 INTRODUCTION
During the last
two decades, research in various aspects of mobile ad hoc networks
(MANETs) has been very active, motivated mainly by military,
disaster relief, and law enforcement scenarios. More recently,
location information has become increasingly available through
small and inexpensive GPS receivers, partially prompted by the
trend of introducing location-sensing capabilities into personal
handheld devices [38]. A natural evolutionary step is to adopt such
location-based operation to MANETS. This results in what we term
location-based MANETS. In such a MANET, devices rely on location
information in their operation. The main distinguishing feature of
the envisaged location-based MANET environment is the communication
paradigm, based not on permanent or semi-permanent identities,
addresses or pseudonyms, but on instantaneous node location. In
other words, a node (A) decides to communicate to another node (B),
depending on exactly where (B) is located at present. If node
location information is sufficiently granular, a physical MANET map
can be constructed and node locations (instead of persistent node
identities) can be used in place of network addresses. In some
applications, such as military, law enforcement and
search-and-rescue, node identities are not nearly as useful as node
locations. Such critical settings have certain characteristics in
common. First, node location is very important: knowledge of the
physical, as opposed to logical or relative topology, enables
avoiding wasteful communication and focusing on nodes located
within a specific area. Second, critical settings must contend with
security and privacy attacks. Security attacks might attempt to
distribute false (or impede propagation of genuine) routing
information, whereas privacy attacks aim to track nodes as they
move.

The authors are with the Computer Science Department, University of
California, Irvine, Bren Hall, 3rd Floor, Irvine, CA 92697-3435.
E-mail: [email protected], [email protected].
Manuscript received 2 Nov. 2009; revised 16 Oct. 2010; accepted
28 Oct. 2010; published online 20 Dec. 2010.
For information on obtaining reprints of this article, please
send e-mail to: [email protected], and reference IEEECS Log Number
TMC-2009-11-0474. Digital Object Identifier no.
10.1109/TMC.2010.256.

When the operating environment is hostile, as is the case in
military and law enforcement settings, node identities must not be
revealed. We use the term hostile to mean that communication is
being monitored by adversarial entities that are not part of the
MANET. If we further assume that genuine MANET nodes do not even
trust each other (perhaps because of possible node compromise,
i.e., the environment is suspicious), the need to hide node
identities becomes more pressing. Also, in this setting, it is
natural for node movements to be obscured, thus making it
impossible (or, at least, very difficult) to track a node, even
without knowing its identity. While such suspicious and hostile
MANET environments might not be very common, they do occur in
military and law enforcement domains and require high security and
privacy guarantees.

In this paper, we consider what it takes to provide
privacy-preserving secure communication in hostile and suspicious
MANETs. We construct a protocol for Anonymous Location-Aided Routing
in MANETs (ALARM) that demonstrates the feasibility of
simultaneously obtaining strong privacy and security properties,
with reasonable efficiency. In this context, privacy means node
anonymity and resistance to tracking, whereas security includes
node/origin authentication and location integrity. Although it might
seem that our security and privacy properties contradict each other,
we show that some advanced cryptographic techniques can be used to
reconcile them.

The rest of this paper is organized as follows: We discuss design
choices and assumptions in Sections 2 and 3, followed by description
of the adversarial model in Section 4. The ALARM protocol is
presented in Section 5 and its security is analyzed in Section 6.
Performance analysis and simulation results are discussed in
Sections 7 and 8, followed by an overview of related work in
Section 9. Table 2 contains a summary of the notation used
throughout the paper. The paper concludes with a summary in
Section 10.

1536-1233/11/$26.00 2011 IEEE. Published by the IEEE CS, CASS,
ComSoc, IES, & SPS.

TABLE 1. Computation Costs, Signature, and Key Size for a Group
Signature (GSIG) [7] and EC-DSA [10]

2 DESIGN CHOICES
We begin by justifying our design choices, in
particular the use of link-state routing. We then overview the
cryptographic construct of group signatures, one of the principal
building blocks in our protocol.

2.1 Routing Protocol Choices
MANET
routing protocols can be roughly partitioned into two groups:
reactive (or on-demand) and proactive. The latter can be further
broken down into link-state and distance-vector (including
path-vector) protocols. Reactive protocols typically use route
discovery to identify a route to a given destination. The notion of
discovering the destination is premised upon the source knowing the
persistent identity or address of the destination. This assumption
is invalid in our MANET scenario, since the destination is selected
based on its current location, which is not known to the source a
priori. Consequently, we claim that reactive routing protocols
are unsuitable for the problem at hand.

Distance vector (DV) protocols [34] inherently offer relatively
weak levels of security. A single compromised node can easily create
any number of phantom node-location entries and propagate them to
the entire MANET, thus poisoning everyone's DV tables. This issue
can be addressed, in principle, by using a path vector protocol
(e.g., BGP [5]) along with some security enhancements (e.g.,
BGP-SEC [21]) where each Source-Destination path component is
signed. However, verifying $O(n \cdot r)$ signatures, where $n$ is
the number of nodes and $r$ is the network diameter, would be very
expensive. Also, as is well-known, DV protocols exhibit slow
convergence, which can be problematic in highly-mobile MANETs.

The alternative is link-state (LS) routing protocols, such as
OLSR [28]. One advantage of LS protocols is that,
unlike their reactive counterparts, they obviate the need for route
discovery. This makes LS protocols suitable for real-time
applications that impose strict delay constraints. On the other
hand, LS protocols do not scale well due to excessive broadcasting:
$n$ updates are flooded throughout the MANET for each update period.
However, this has been mitigated in OLSR by reducing the number of
nodes that forward routing control messages to a subset of the
first hop neighbors of any node, called multipoint relays (MPRs).
In addition, since our goal is to accommodate relatively
modest-sized MANETs (on the order of tens or few hundreds of
nodes), scalability can be easily achieved. (This is discussed
further in Section 7). Furthermore, LS allows us to achieve stronger
security, since origin authentication and integrity of LS
updates can be easily supported. There are a number of well-known
techniques that achieve this, e.g., [40] and [3], [37].

TABLE 2. Notation Summary

The main challenge arises from the need to reconcile security and
privacy (anonymity and untraceability) requirements that we
address below. Based on the above discussion, we consider
link-state to be best-suited for supporting location-based routing
with the privacy and security features described earlier. In the
rest of this paper, we use a simple flooding-based scheme to
illustrate the operation of ALARM. However, we note that any
optimization for reducing LS flooding overhead (e.g., MPR-based
flooding in OLSR), can be easily integrated into ALARM.

2.2 Group Signatures
Group signatures can be viewed as traditional public key
signatures but with additional privacy features. In a group
signature scheme, any member of a large and dynamic group can sign
a message, thereby producing a group signature. (However, each
member has its own unique private key, as described in Appendix A,
which can be found on the Computer Society Digital Library at
http://doi.ieeecomputersociety.org/10.1109/TMC.2010.256). A group
signature can be verified by anyone who has a copy of a
constant-size group public key. A valid group signature implies
that the signer is a genuine group member. At the same time, given
two valid group signatures, it is computationally infeasible to
decide whether they are generated by the same (or different) group
members. Furthermore, in case of a dispute over a group signature,
a special entity called a Group Manager (GM) can open a group
signature and identify the actual signer. This important feature is
called Escrowed Anonymity. Based on the above, it seems that group
signatures are a perfect fit for our envisaged MANET setting. A
mobile node can periodically sign its current location (link-state)
information without fear of being tracked, since multiple group
signatures are not linkable. At the same time, anyone can verify a
group signature and be assured that the signer is a legitimate
MANET node. (A more detailed description of group signatures can be
found in Appendix A, which can be found on the Computer Society
Digital Library at
http://doi.ieeecomputersociety.org/10.1109/TMC.2010.256).

Table 1 shows timings for group signature generation and
verification, compared to standard Elliptic Curve DSA (EC-DSA)
measured using OpenSSL [2] (footnote 1). Measurements are reported
as in [10]. They were obtained on a 1.5 GHz Centrino processor. The
processing power used is a close approximation of the European Union
Cooperative Vehicle-Infrastructure System (EU-CVIS) vehicle PC, a
platform adopted for future development of vehicular ad hoc
networks (VANET) applications [1].

Footnote 1: Note that security levels on elliptic curves correspond
to 1024-bit security in RSA-like settings.

3 ASSUMPTIONS AND GOALS
The following assumptions are necessary in ALARM:

- Location. Universal availability of location information: Each
  node is equipped with a device that provides accurate positioning
  information, e.g., GPS.
- Mobility. Sufficiently high mobility: A certain minimum fraction
  (or number) of nodes move periodically, such that tracking a given
  mobile node from one topology snapshot to the next requires
  distinguishing it among all nodes that have moved in the interim.
- Time. All nodes maintain loosely synchronized clocks. This is
  easily obtainable with GPS.
- Range. Nodes have uniform transmission range. Once a node knows
  the current MANET map, it can determine node connectivity (i.e.,
  transform a map into a graph) (footnote 2).

Footnote 2: If transmission range is not uniform, each node should
include its transmission range in its location announcement message.

ALARM has the following goals:

- Privacy. There are no public node identities or addresses. Each
  node is anonymous and its occurrences at different locations
  (movement patterns) cannot be linked; we elaborate on this later.
- Security. The network must be resistant to passive and active
  attacks stemming from both outsiders and malicious (e.g.,
  compromised) insiders.
- Performance. Security and privacy goals must be achieved without
  undue sacrifices in performance (i.e., without requiring excessive
  computations and/or high delay).

4 ADVERSARIAL MODEL
As stated earlier, we are concerned with both outsider and
insider adversaries and attacks. However, our adversarial model
does not take into account adversaries that physically track nodes,
e.g., visually or using physical-layer signal fingerprinting.
Furthermore, we do not consider adversaries that mount
denial-of-service (DoS) attacks by creating sinkholes, wormholes
and other topological abnormalities.

4.1 Outsiders
An outsider can be passive or active. It does not have any keys
used for encryption or authentication. Its goal is to violate
privacy, security or both. A passive outsider eavesdrops on all
communication and aims to compromise privacy, i.e., track nodes. It
does not engage in any active attacks (i.e., does not inject, modify
and replay any messages). By definition, a passive outsider cannot
be stronger than a passive insider that has encryption and
authentication keys. By providing protection against passive
insiders (see below), protection against passive outsiders is
obtained for free. An active outsider can inject, modify and replay
messages. Its goals can include disruption of routing, node
impersonation, and creation of phantom nodes, e.g., via Sybil
attacks. An active outsider does not know any keys and is not
stronger than an active insider.

4.2 Passive (Honest-but-Curious) Insiders
A passive insider
possesses all cryptographic keys used for network-wide
encryption/authentication. It can eavesdrop on all exchanged
messages, and outwardly behaves correctly by following all rules
and protocols. In other words, it sends no fraudulent messages,
does not attempt to impersonate other nodes, and does not delete or
modify other nodes' traffic. Behaving otherwise would attract
attention and could result in eventual detection and exposure.
However, a passive insider is not assumed to be silent, i.e., its
communication patterns are not different from those of
non-malicious nodes. A passive insider can also attempt to track
other nodes' movements by linking different location announcement
messages or using trajectory information.

4.3 Active Insiders
An active
insider is the most powerful adversary type. It can modify, inject,
and replay genuine messages. In more traditional MANET settings,
the identity of each node is known and the power of the active
insider is constrained, since its activity can be detected and/or
traced. However, since privacy is one of our main goals, nodes have
no persistent identities. Therefore, an active insider can easily
modify or inject seemingly genuine routing messages, thus
masquerading as other nodes. Concretely, we consider two kinds of
active insider attacks:

- Sybil attack: Adversary creates one or more phantom nodes by
  generating fake routing control messages ostensibly from these
  nodes' locations. Even though these routing messages contain valid
  authentication information (e.g., signatures), other nodes cannot
  link them to the originating malicious node.
- Location fraud: Adversary lies about its own location. This can be
  harmful in situations where node communication is
  location-centric. For example, a malicious insider claiming a
  certain fake location can result in attracting (or repelling)
  traffic.

We note that the insider adversary is clearly not restricted to
either attack type, i.e., it is free to blend them.

5 ALARM PROTOCOL
This section describes basic operation of ALARM and
its limitations. It then outlines several extensions that mitigate
such limitations. Table 2 contains the notation used to describe
the ALARM protocol.

5.1 Basic Operation
The basic steps in ALARM's operation are as follows:

1. Initialization (Offline)

a. The group manager (GM) initializes the underlying group
signature scheme and enrolls all legitimate MANET nodes as group
members. During this phase, each member (node) creates a unique
private key ($SK_{member}$), that is not revealed to anyone. This
key is needed to produce valid group signatures. It also creates a
corresponding public key ($PK_{member}$), that is revealed only to
the GM. In addition, each member learns the common group public key
($PK_{GM}$) that is subsequently used to verify group signatures. In
case of a dispute and for offline forensics, GM is responsible for
opening any contested group signatures and determining actual
signers.

b. Depending on the specific group signature scheme, GM might also
handle future joins for new members as well as revocation of
existing members. However, in most envisaged MANET scenarios,
membership is likely to be fixed, i.e., all joins can be done in
bulk, before deployment. Also, revocation might not be feasible or
desired, since it would require propagating (in real-time) updated
revocation information to all legitimate nodes. However, if dynamic
membership is necessary, ALARM can support it, with minor
additional assumptions.

2. Operation (Online)

a. Time is divided into equal slots of duration $T$. At the
beginning of each slot, each node $s$ generates a temporary
public-private key-pair: PK-TMP$_s$ and SK-TMP$_s$, respectively.
PK-TMP$_s$ is subsequently used by other nodes to encrypt session
keys to establish secure channels with $s$. Note that these keys can
be generated offline.

b. Each node broadcasts a Location Announcement Message (LAM),
containing its location (GPS coordinates), time-stamp, temporary
public key (PK-TMP$_s$), and a group signature computed over these
fields. Each LAM is flooded throughout the MANET (more on the
overhead and scalability of the flooding process in Section 7).
Fig. 2 shows the LAM format used to construct the network topology
snapshot in Fig. 1. The sequence of steps required for sending a LAM
is shown in the flow chart in Fig. 5.

Fig. 1. MANET Topology Snapshot in ALARM.
Fig. 2. ALARM LAM message format.

c. Upon receipt of a new LAM, a node first checks that it has not
received the same LAM before; it then verifies the time-stamp and
group signature. If both are valid, the node rebroadcasts the LAM to
its neighbors. Having collected all current LAMs, each node
constructs a geographical map of the MANET and a corresponding node
connectivity graph. A flowchart describing this sequence of steps is
shown in Fig. 6.

Between successive LAMs, a node can be reached (addressed) using a
temporary pseudonym formed as current location concatenated with
the group signature in the last LAM
($TmpID = \{Location \,\|\, GSig\}$). Note that the pseudonym
represents a valid address even if the actual node moves in the
interim. The location is included in the pseudonym in order to
minimize required state and assist in the forwarding process
(footnote 3). If the location is not part of the pseudonym, a node
forwarding a message to a pseudonym would have to look up the
associated location and decide how to forward to that location. (See
below for more details on the forwarding process). Including
location in the pseudonym speeds up the forwarding process and
requires fewer look-ups.

Footnote 3: An earlier version of ALARM [18] had the pseudonym
consisting only of the group signature.

d. Whenever a node desires to communicate with a certain location,
it checks to see if any node currently exists at (or near) that
location. If so, it sends a message to the destination's current
pseudonym ($TmpID$). This message is encrypted with a session key
using a symmetric cipher. The session key is, in turn, encrypted
under the current public key (PK-TMP) included in the destination's
latest LAM. When the destination receives the message, it first
recovers the session key and uses it to decrypt the rest. ALARM is
not restricted to any specific public key technique. One obvious
choice is Diffie-Hellman (DH) [16], whereby each LAM includes an
ephemeral (period-specific) DH half-key. The sender then simply
generates its own DH half-key, computes a shared key and encrypts
the session key with it. Clearly, the sender's half-key must be
included in the clear-text part of the message. Other key agreement
schemes can also be used. The sequence of steps involved in
determining a destination node is shown in Fig. 4.

Fig. 4. ALARM communication decision flow-chart.

e. Forwarding: As described above, nodes disseminate current
topology by periodically flooding LAMs. Once each node has the
entire topology view, it decides whether to communicate with a
certain location (node). Message forwarding is independent of
topology dissemination. One option is for a node to create a source
route, explicitly encoding locations of nodes on the path to the
destination. The actual path can be computed using the shortest
path algorithm or any other location-aided routing algorithm, such
as [35], [27] or [31]. For example, consider the simple topology of
Fig. 1. Assume that the node at $location_1$
($TmpID_1 = \{Location_1 \,\|\, GSig_1\}$) requires sending a message
to another node at $location_4$
($TmpID_4 = \{Location_4 \,\|\, GSig_4\}$). The sender calculates the
route to $location_4$ and determines that it has to pass through
$location_2$ and $location_3$. It then generates a session key
($K_s$) and encrypts data with that key using a symmetric cipher
(e.g., AES). It then uses the public key in the last LAM of
$location_4$ to encrypt $K_s$ and assembles a data message with the
destination set to ($TmpID_4$) and source to ($TmpID_1$). It finally
composes a source route: $\langle TmpID_2, TmpID_3 \rangle$. The
ALARM data message format is shown here in Fig. 3.

Fig. 3. ALARM data message format.
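
The map-to-graph and source-routing steps of items 2c to 2e, as an added example that is not code from the paper: it takes LAMs whose group signatures are assumed to have been verified already, drops duplicates and stale time-stamps, links nodes that are within a uniform transmission range, and computes a hop-count shortest path. The field names, the 250 m range, the 30 s freshness window and the sample coordinates are constructed for illustration.

```python
import math
from collections import deque
from dataclasses import dataclass

TX_RANGE_M = 250.0   # assumed uniform transmission range (Section 3)
MAX_AGE_S = 30.0     # assumed freshness window for LAM time-stamps


@dataclass(frozen=True)
class LAM:
    x: float           # location in metres on a local grid (constructed)
    y: float
    timestamp: float
    pk_tmp: bytes      # temporary public key PK-TMP
    gsig: bytes        # group signature, assumed already verified

    @property
    def tmp_id(self):
        # TmpID = {Location || GSig}
        return f"{self.x:.1f},{self.y:.1f}|{self.gsig.hex()}"


def accept_lams(lams, now):
    """Step 2c: keep one copy of every LAM whose time-stamp is fresh."""
    seen, snapshot = set(), {}
    for lam in lams:
        if lam in seen:                      # same LAM received before
            continue
        seen.add(lam)
        if not (0 <= now - lam.timestamp <= MAX_AGE_S):
            continue                         # stale or future-dated
        snapshot[lam.tmp_id] = lam
    return snapshot


def connectivity(snapshot):
    """Turn the map into a graph: an edge joins nodes within range."""
    ids = list(snapshot)
    graph = {i: [] for i in ids}
    for n, a in enumerate(ids):
        for b in ids[n + 1:]:
            la, lb = snapshot[a], snapshot[b]
            if math.hypot(la.x - lb.x, la.y - lb.y) <= TX_RANGE_M:
                graph[a].append(b)
                graph[b].append(a)
    return graph


def nearest(snapshot, x, y, radius):
    """Step 2d: pseudonym of the node at (or near) a target location."""
    best = min(snapshot.values(),
               key=lambda l: math.hypot(l.x - x, l.y - y), default=None)
    if best is None or math.hypot(best.x - x, best.y - y) > radius:
        return None
    return best.tmp_id


def source_route(graph, src, dst):
    """Step 2e: BFS shortest path; returns the intermediate TmpIDs only."""
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt in graph[cur]:
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        return None                          # destination unreachable
    path, cur = [], prev[dst]
    while cur is not None and cur != src:
        path.append(cur)
        cur = prev[cur]
    return path[::-1]


# Constructed sample: four fresh LAMs in a line, one duplicate, one stale.
NOW = 1000.0
SAMPLE = [
    LAM(0, 0, 995, b"pk1", b"\x01"),
    LAM(200, 0, 996, b"pk2", b"\x02"),
    LAM(400, 0, 997, b"pk3", b"\x03"),
    LAM(600, 0, 998, b"pk4", b"\x04"),
    LAM(200, 0, 996, b"pk2", b"\x02"),       # duplicate of the second LAM
    LAM(300, 150, 900, b"pk5", b"\x05"),     # time-stamp too old
]


def demo():
    snap = accept_lams(SAMPLE, NOW)
    src = nearest(snap, 0, 0, 50)
    dst = nearest(snap, 610, 5, 50)
    return snap, src, dst, source_route(connectivity(snap), src, dst)


if __name__ == "__main__":
    snap, src, dst, route = demo()
    print(f"{len(snap)} nodes; {src} -> {dst} via {route}")
```

The returned route holds only the intermediate pseudonyms, which mirrors the source route of the Fig. 1 example where source and destination are carried in separate fields.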

3. Forensics (Optional, offline). Each node logs all sent and
received LAMs (except duplicates). Collectively, this information
constitutes an operational log that is, after each field
deployment, transferred to an offline server, e.g., GM. All LAMs
collected by all nodes are then reconciled and, in the process, all
group signatures are verified and opened by GM. Each group
signature's originator is thus identified. This process allows most
insider misbehavior, such as Sybil attacks, to be detected post
factum. The only insider attack that might not be identifiable
using logs is location fraud. (This is discussed in Section 6).

Fig. 5. ALARM sender process.
Fig. 6. ALARM LAM receiver process.

In general, operational logs are used for accountability
purposes by allowing GM to reconstruct the exact sequence of node
movements and topology snapshots. We stress that this is an
optional procedure that does not incur any additional overhead
(beyond storage) during online operation of ALARM. Assuming LAM
size of 350 bytes (8 for location, 4 for time-stamp, 128 for
temporary key, and 200 for short group signature [6]), a network of
100 nodes deployed for a week and topology update frequency of 10
LAMs per minute, combined storage for all operational logs would
amount to around 3.5 GB.
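
The offline reconciliation described in this forensics step, as an added example that is not code from the paper: per-node logs are merged so that a LAM logged by several nodes counts once, each signature is opened, and any member with more than one distinct LAM in a single time-slot is reported as a Sybil candidate. The GM's open operation is replaced by a constructed lookup table, and the log layout, member names, signatures and 6-second slot are assumptions made for illustration.

```python
from collections import defaultdict

SLOT_T = 6.0   # assumed slot duration T in seconds (10 LAMs per minute)

# Constructed stand-in for the GM "open" operation: group signature ->
# member that produced it. A real GM runs the scheme's opening algorithm.
GM_OPEN = {
    "sigA1": "member-07", "sigA2": "member-07",
    "sigC1": "member-13", "sigC2": "member-13", "sigC3": "member-13",
}

# Constructed per-node operational logs: (location, time-stamp, signature).
NODE_LOGS = {
    "log-1": [((10.0, 10.0), 1.0, "sigA1"), ((100.0, 40.0), 2.0, "sigC1"),
              ((120.0, 40.0), 7.0, "sigC2")],
    "log-2": [((10.0, 10.0), 1.0, "sigA1"), ((30.0, 15.0), 7.2, "sigA2"),
              ((900.0, 900.0), 8.5, "sigC3")],
    "log-3": [((120.0, 40.0), 7.0, "sigC2"), ((5.0, 5.0), 7.9, "sigX")],
}


def reconcile(node_logs):
    """Merge all logs; a LAM flooded to many nodes is kept once."""
    merged, conflicts = {}, set()
    for log in node_logs.values():
        for loc, ts, gsig in log:
            # The signature covers location and time-stamp, so two copies
            # with the same signature but different fields cannot both be
            # genuine: record the signature for manual review.
            if merged.setdefault(gsig, (loc, ts)) != (loc, ts):
                conflicts.add(gsig)
    return merged, conflicts


def audit(node_logs, gm_open, slot_t=SLOT_T):
    """Open every logged signature and flag members seen twice per slot."""
    merged, conflicts = reconcile(node_logs)
    per_signer_slot = defaultdict(list)
    unopened = []
    for gsig, (loc, ts) in merged.items():
        signer = gm_open.get(gsig)
        if signer is None:
            unopened.append(gsig)            # not produced by a member
            continue
        per_signer_slot[(signer, int(ts // slot_t))].append((loc, gsig))
    # One LAM per member per slot is normal; more than one distinct LAM
    # means the member announced itself at several locations at once.
    sybil = {key: sorted(lams) for key, lams in per_signer_slot.items()
             if len(lams) > 1}
    return {"sybil": sybil, "unopened": sorted(unopened),
            "conflicts": sorted(conflicts)}


if __name__ == "__main__":
    report = audit(NODE_LOGS, GM_OPEN)
    for (member, slot), lams in report["sybil"].items():
        print(f"{member} signed {len(lams)} LAMs in slot {slot}: {lams}")
    print("could not open:", report["unopened"])
```

A member that moves between slots, like the constructed member-07, is not flagged; only multiple distinct LAMs inside one slot are, which matches the statement that location fraud is not identifiable from the logs.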

4. ALARM Limitations. The main advantage of the basic ALARM
protocol is its simplicity and effectiveness. However, it has two
notable drawbacks: 1) Since flooding is used to disseminate LAMs,
scalability becomes problematic for large MANETs (thousands of
nodes); 2) any node can lie about its location or generate multiple
LAMs as part of a Sybil attack.

5.2 Extensions
We now describe some extensions to the basic ALARM protocol that
address scalability and insider threat issues.

5.2.1 Scalability
If a MANET is sufficiently
large for flooding to cause significant overhead, a hierarchical
approach can be used to limit its scope. Similar ideas have been
explored in GeoGRID [35] and OLSR [28]. In GeoGRID, the network is
partitioned into logical grids, with a single elected node acting
as a gateway for each partition. Only gateways forward packets to
other gateways, which limits the scope of flooding. In OLSR, each
node selects only a subset of its immediate neighbors, each called a
multipoint relay (MPR), that forwards its routing control messages.
MPRs are selected such that there is a route to every second-hop
neighbor through one MPR. MPR selection was shown to significantly
reduce routing overhead without worsening routing performance. In
Section 7, we explore routing control overhead in ALARM and show
how it affects scalability.

5.2.2 Group Signatures with Self-Distinction
As discussed above, ALARM takes advantage of group signatures to
simultaneously obtain node anonymity and authentication. Any group
signature scheme can be used with ALARM to protect against attacks
by outsiders and passive (honest-but-curious) insiders. However, if
resistance to Sybil attacks is needed, the underlying group
signature scheme must offer the additional self-distinction feature.

Self-distinction is an optional feature that is offered by (or that
can be added to) some group signature schemes, such as [4] and [51].
It prevents attacks involving a genuine group member who signs
multiple messages all purportedly originated by distinct signers. In
our suspicious MANET context, this feature can precisely address
Sybil attacks, where a legitimate node assumes several pseudonyms
and pretends to be at several locations at once. Self-distinction
seems to contradict what group signatures try to achieve, i.e.,
anonymity and unlinkability. However, in our context,
self-distinction implies that each node can have at most one
identity within a given LAM interval. Thus, node privacy across time
slots is still preserved.

Two examples of group signatures with self-distinction are [51] and
[4]. The intuition behind these constructs is that a signer (group
member) proves its distinction from others while signing a message.
This is achieved by having nodes first agree on some common
parameter, e.g., a common random number. This parameter varies for
each round of signing. If a node uses the same parameter to sign
twice within the same round, the two group signatures would have
matching components that would immediately signify misbehavior. The
challenge with adopting such schemes in ALARM is in generation of
this common parameter. One straightforward (but inefficient)
approach is to run a group key agreement protocol at the beginning
of every time-slot and use the resulting group key as the common
parameter. This is clearly unscalable. An alternative and more
efficient approach is to use a group key agreement protocol just
once, in order to agree on the initial common parameter. Another
possibility is for GM to generate and distribute this starting
value.

5.2.3 One-Time Certificates
Group signatures offer a number of benefits. Any node receiving a
LAM can verify that it was produced by a legitimate peer. At the
same time, node pseudonyms are unlinkable, which inhibits tracking.
Also, no two nodes have the same pseudonym, even if they are at the
same exact location, at the same time. Despite their advantages,
group signatures are expensive in terms of generation and
verification costs as well as size (as shown in Table 1). There is
still an order of magnitude difference in both computational and
storage/bandwidth cost between group signatures and their plain
counterparts.

An alternative approach that emulates the functionality of group
signatures is using one-time certificates. Initially, an offline
Certification Authority (CA) issues to each node ($N_i$) a number of
public key certificates: $C_i^1, \ldots, C_i^m$ where $m$ is the
maximum number of time-slots for a given MANET deployment. Each
certificate ($C_i^j$), includes the following fields:

1. Unique public key ($PK_i^j$) for a plain (nongroup) signature
   scheme, e.g., RSA or DSA. We assume that the specific signature
   scheme is global and fixed beforehand.
2. Time-stamp indicating the future ($j$th) time-slot when this
   certificate can be used.
3. CA's signature of the certificate: j .

The public-private key-pair for each certificate can be either
generated by CA or by each node independently. In the latter case,
CA has to make sure that all $PK_i^j$s are unique across all nodes.
For each $C_i^j$, a node is assumed to know the corresponding
private key ($SK_i^j$).

To estimate storage requirements, consider MANET deployment of one
week with 10 LAM updates per minute. A total of
$7 \times 24 \times 60 \times 10 = 100{,}080$ one-time certificates
will be required. Assuming standard X.509-type format [53] with a
certificate size of 1 KB, each node requires 100 MB of storage. This
is reasonable for modern PDA-class MANET nodes.

The operation of ALARM with one-time certificates is slightly
different from the description in Section 5.1:

- When constructing a LAM for current time-slot ($j$), each node
  ($i$) includes the entire certificate ($C_i^j$) in its LAM, instead
  of PK-TMP only.
- Each LAM contains a signature ( ) with $SK_i^j$, corresponding to
  $PK_i^j$ included in $C_i^j$. Recall $C_i^j$ can only be used in
  the current time-slot.
- Upon receipt of a LAM, each node checks if the time-stamp and the
  certificate in the LAM match the current time-slot. It then
  validates the certificate $C_i^j$ by checking CA's signature.
  Finally, it verifies LAM signature ( ) using $PK_i^j$ extracted
  from $C_i^j$. If verification succeeds, it logs and rebroadcasts
  the LAM.

It is easy to see that, as long as all $PK_i^j$ values are
independent, linking multiple LAMs originating from the same node is
infeasible. Moreover, one-time certificates offer effective and
inexpensive mitigation of most insider attacks. This is because each
node only knows its own sequence of one-time certificates and
corresponding secret keys. Sybil attacks are prevented by tying each
certificate to a fixed time-slot and only allowing (via controls by
the issuing offline CA) the use of one certificate per node, per
time-slot. The only insider attack not addressed here is insider
location fraud.

The main drawback of one-time certificates is the requirement to
predetermine maximum duration of MANET deployment. Another issue is
additional storage for certificates. On the other hand, both
generation and verification of LAM signatures is much faster than
with group signatures.

5.2.4 Sequential Aggregate Signatures (SAS)
This extension leverages the fact that each node already includes a
temporary public key in its LAM. A node first sends its own LAM
before forwarding LAMs of other nodes. A node can use its private
key to sign other forwarded LAMs. Such signatures can be aggregated
(e.g., Sequential Aggregate Signatures) to maintain a constant size
LAM. An adversary launching an active attack (by generating phantom
nodes, impersonating other nodes and/or lying about its location)
will be detected due to mismatching signatures in received LAMs.
Note that these are not group signatures, but sequential aggregate
signatures (SAS) that are constant in size.

A similar approach has been used to secure route discovery in the
DSR routing protocol in [30]. One such SAS construct is based on RSA
[36] and its signature generation cost is equivalent to a plain RSA
signature. Verification cost, on the other hand, increases linearly
with number of signers (nodes) on the path. However, this cost can
be minimized by using small public exponents (e.g., 3 or 17). Such
small exponents speed up verification by a factor of ten [30]. We
demonstrate how this extension would operate with an example based
on the SAS scheme from [37]:

1. Assume that a node's $i$th private key is $SK_i = x_i$ and its
   public key $PK_i$ consists of the pair ($n_i$, $y_i$), where
   $x_i y_i \equiv 1 \bmod n_i$. This is a typical RSA [43] setting.
2. The only requirement for the RSA-based SAS scheme is for all
   moduli to be of roughly the same length. The signature expands by
   $t$ bits $b_1, b_2, \ldots, b_t$ where $t$ is the number of
   signers in the aggregate signature.
3. During operation, if the ith signature i ni1 then bi is set to 1;
   otherwise, it is set to 0. During verification phase, if bi 1 then
   ni1 is added to i before proceeding with the verification of i .
4. Consider the following example: Assume that node A sends a LAM
   through nodes B and C to reach D, the signing procedure is as
   follows:
   a. A: computes hA HLAM ; nA ; yA and A A

5.2.5 Secure Hardware
Recent advances in group signature research
have yielded efficient schemes with constant-size signatures and
public keys. There have also been proposals to implement group
signatures using tamper-resistant hardware. For example, [12] shows
how to implement group signature functionality on smartcards. If a
similar implementation is coupled with a tamper-resistant GPS
device, all insider attacks in ALARM can be virtually eliminated.
Specifically, an insider would be unable to lie about its current
location or to mount a Sybil attack. With tamper-resistant
hardware, group signature schemes with self-distinction are no
longer needed, since a node would be prevented from generating more
than one signed LAM within a given time-slot.6 SECURITY
ANALYSISRecall that our adversary model of Section 4 does not
consider physical-layer jamming and denial-of-service (DoS) attacks
on message transmission.6.1 Outsider AttacksA passive outsider
eavesdropping on all LAMs can, at most, obtain exactly the same
information available to any legitimate MANET node (i.e., the
current topology snap- shot). This would only happen if keys used
to encrypt all communication in the MANET are leaked. Thus, a
passive outsider is at most as powerful as a passive insider and,
thus, protection against it is guaranteed as a side effect of
thwarting passive insider attacks.Since group signatures attached
to each LAM areuntraceable and unlinkable, the only way to track
nodes is by guessing possible trajectories. However, as discussed
in Section 3, our MOBILITY assumption involves a minimum number of
nodes (k out of n) moving within each time-slot. Thus, tracking
movements of a given node translates into k-anonymity [48], i.e.,
the problem of identifying one out of k possible nodes. However, we
note that, if LAM-s are encrypted using a group-wide key, topology
informationwould become completely invisible to eavedroppers.
AnhA
mod nA . A is then added to the LAM.
outsider would only be able to determine node presence atb. B:
If A nB , set A A nB and b1 1, elseb1 0 computes hB H LAM ; nB ; yB
and AB A hB xB mod nB . AB is then added to the LAM instead of A
.
c. C: If AB nC , set AB AB nC and b2 1, else b2 0 computes hC
HLAM ; nC ; yC and ABC AB hC xC mod nC . ABC is then added to the
LAM instead of AB .
d. D: computeshC HLAM ; nC ; yC ;
certain locations. Also, physical-layer techniques, such as
CDMA, can be used to hide transmission from unintended
receivers.Active outsider attacks are addressed in ALARMthrough the
use of LAM time-stamps and group signatures. An active outsider
cannot inject new LAMs or modify any existing LAMs, since it has no
group signature capability. Replays are trivially prevented by LAM
time-stamps.6.2 Passive Insider AttacksA passive insider
(legitimate MANET node) can, by design, 0yCAB ABC hC mod nC ;
obtain all LAMs and determine their authenticity by verifying AB
0
b2 nC ;
corresponding group signatures. But, also by design, it canpthB
HLAM ; nB ; yB ; 0yBA AB hB mod nB ;
neither identify nor link nodes that generated these LAMs,since
group signatures are untraceable. A passive insider with other
means of collecting mobility information, e.g., A 0
b1 nB ;
by visual monitoring, can determine that a certain nodehA HLAM ;
nA ; yA ;and finally checks if yA modnA equals hA .
e. Signature verification fails if a LAM does nottravel the same
route as it should.
remains stationary. This might happen if, in two
consecutivetime-slots, the insider physically (i.e, visually)
observes lack of mobility and also receives two LAMs referring to
the same location. Clearly, there is no protection against such
attacks, since they involve adversarys physical presence.TABLE
3Security of Extensions Against Active Insider Attacks
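
The signing chain of the Section 5.2.4 example (A signs, B and C extend, D verifies) can be exercised end to end. The following is an added example, not code from the paper: the keys are toy 64-bit RSA moduli generated inline, SHA-256 reduced mod n stands in for H, and the LAM bytes and the names make_key, sas_sign, sas_verify and run_route are assumptions made for illustration.

```python
import hashlib
from math import gcd, isqrt

E = 17  # small public exponent y_i; the text suggests 3 or 17


def is_prime(n):
    """Trial division; adequate for the 32-bit toy primes used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, isqrt(n) + 1, 2))


def next_prime(start):
    """Smallest odd prime p >= start with gcd(E, p - 1) == 1."""
    p = start | 1
    while not (gcd(E, p - 1) == 1 and is_prime(p)):
        p += 2
    return p


def make_key(p_start, q_start):
    """Toy RSA key: private x, public (n, y) with x*y = 1 mod phi(n)."""
    p, q = next_prime(p_start), next_prime(q_start)
    return {"n": p * q, "y": E, "x": pow(E, -1, (p - 1) * (q - 1))}


def H(lam, n, y):
    """Hash of (LAM, n, y) mapped into Z_n (SHA-256 is a stand-in for H)."""
    data = lam + n.to_bytes(16, "big") + y.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sas_sign(lam, key, sigma_prev=None, bits=()):
    """Originate (sigma_prev is None) or extend the aggregate signature."""
    n, x, y = key["n"], key["x"], key["y"]
    h = H(lam, n, y)
    if sigma_prev is None:                 # step a: sigma_A = h_A^x_A mod n_A
        return pow(h, x, n), []
    b = 1 if sigma_prev >= n else 0        # steps b, c: fold sigma into Z_n
    folded = sigma_prev - b * n
    if not 0 <= folded < n:
        raise ValueError("moduli must be of roughly the same length")
    return pow((folded + h) % n, x, n), list(bits) + [b]


def sas_verify(lam, route, sigma, bits):
    """Step d: peel signers off in reverse order; route = [(n, y), ...]."""
    if len(bits) != len(route) - 1 or any(b not in (0, 1) for b in bits):
        return False
    for j in range(len(route) - 1, 0, -1):
        n, y = route[j]
        if not 0 <= sigma < n:
            return False
        sigma = (pow(sigma, y, n) - H(lam, n, y)) % n + bits[j - 1] * n
    n, y = route[0]
    return 0 <= sigma < n and pow(sigma, y, n) == H(lam, n, y)


# Constructed sample data: three 64-bit moduli (same length, different
# magnitude so the fold bit b_1 is exercised) and a made-up LAM payload.
KEY_A = make_key(4_200_000_000, 4_290_000_000)
KEY_B = make_key(3_000_000_000, 3_100_000_000)
KEY_C = make_key(3_600_000_000, 3_610_000_000)
LAM = b"loc=(33.6430,-117.8412);ts=1300000000"


def pub(key):
    return (key["n"], key["y"])


def run_route(lam=LAM):
    """A signs, B and C extend; returns (sigma_ABC, [b_1, b_2]) as seen by D."""
    sigma, bits = sas_sign(lam, KEY_A)
    sigma, bits = sas_sign(lam, KEY_B, sigma, bits)
    return sas_sign(lam, KEY_C, sigma, bits)


def demo():
    sigma, bits = run_route()
    a, b, c = pub(KEY_A), pub(KEY_B), pub(KEY_C)
    forged = LAM.replace(b"33.6430", b"33.9999")
    return {
        "claimed route A-B-C": sas_verify(LAM, [a, b, c], sigma, bits),
        "reordered route A-C-B": sas_verify(LAM, [a, c, b], sigma, bits),
        "B omitted from route": sas_verify(LAM, [a, c], sigma, bits[:1]),
        "LAM location altered": sas_verify(forged, [a, b, c], sigma, bits),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The aggregate stays one modulus-sized value plus one bit per forwarding hop, while D's verification cost grows with the number of signers, which is the trade-off the section describes.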
A passive insider can attempt to track a node's movements by using viable trajectory information [26]. This attack is possible if the adversary knows the MANET topology, as well as approximate node speed and trajectory, and direction of movement of a given node. If nodes do not move along straight lines and their direction is randomized, or, if a group of nodes move closely together or intersect paths, such attacks fail or degenerate to k-anonymity. We use simulations to evaluate the loss of privacy due to such attacks; see Section 7 for details.

6.3 Active Insider Attacks
The basic incarnation of ALARM is not secure against active insider attacks in real time. Section 5.2 presented extensions that mitigate such attacks (see Table 3):
• As discussed in Section 5.2.2, group signature schemes with self-distinction can be used to prevent Sybil attacks, albeit at extra computation and communication cost.
• If each node has a secure hardware component (Section 5.2.5) housing group signature generation, Sybil attacks can be prevented without requiring self-distinction from the underlying group signature scheme. If secure hardware also encompasses a GPS receiver, location-fraud is easily prevented. However, ubiquitous secure hardware is clearly an expensive option.
• Through the use of one-time certificates (Section 5.2.3) ALARM can prevent Sybil attacks, but not location-fraud.
• The use of sequential aggregate signatures (Section 5.2.4) can help prevent Sybil and location-fraud attacks.

In addition, Sybil attacks can be easily detected offline, if the optional forensics feature is enabled and operational logs are later off-loaded to GM for analysis.

7 PERFORMANCE ANALYSIS
We now analyze ALARM's routing overhead and compare its scalability to other link-state routing protocols. We then consider the delay caused by periodic flooding of LAMs. Finally, we discuss the effect of node mobility on route availability. The goal of this section is to demonstrate that security and privacy features of ALARM do not introduce high overhead that hurts scalability and performance.

7.1 Control Traffic Overhead
In any MANET link-state routing protocol, the number of hops between any random source-destination pair increases when neighborhood size decreases, thus influencing control traffic overhead [9]. We examine this overhead in ALARM by analyzing the maximum manageable neighborhood size using the model proposed in [9]. We compare ALARM's neighborhood size to that of OSPF [39] and OLSR [28]. We show that, in a 2D network model without fading, maximum neighborhood size is limited to 16 nodes in the basic OSPF protocol (42 for a modified version), whereas it is 45 in the basic unoptimized ALARM and 62 in OLSR. This shows that the overhead of the basic ALARM protocol is close to that of OLSR, which is honed to minimize control traffic overhead and does not provide any privacy features. ALARM can be optimized (similar to OLSR) by restricting the number of nodes that forward LAMs. ALARM's overhead is lower because it omits the OLSR neighbor sensing phase, which is possible due to the use of locations for addressing. If further optimized, ALARM would outperform OLSR.

7.2 Neighbor and Network Topology Models
The model in [9] assumes a network with $N$ transmitters distributed according to a Poisson process with a rate parameter ($\lambda$). Density of transmitters per time slot and per square area unit is $\lambda = fN/A$, where $f$ is packet transmission rate per slot, per node, and $A$ is the area. A node is considered a neighbor of another node if probability of receiving HELLO messages from each other is greater than a certain threshold $p_0$ (typically $p_0 = 1/3$). A packet can be decoded if its signal-to-noise ratio exceeds a given threshold $K$ (typically $K = 10$). A node is a neighbor of another node if the distance between them ($r$) is such that the probability of receiving a certain signal intensity is greater than the threshold $p_0$. Specifically this probability is defined as: $P(W < r^{-\alpha}/K) > p_0$, where $r < r(\lambda)$. $r(\lambda)$ is the critical radius such that $\int_0^{r(\lambda)^{-\alpha}/K} w(x)\,dx = p_0$. If $W$ is the signal intensity received by node X at a random slot then $W$ is a random variable with $w(x)$ as its density function [9]. By integration, $r(\lambda) = \lambda^{-1/2} r(1)$ and the surface covered by radius $r(\lambda)$ is the neighborhood area $\sigma(1)/\lambda$. The constant $\sigma(1)$ for different values of the model parameters can be computed as in [9]. Specifically, for $\alpha = 2.5$ and $\lambda = 1$, $P(W < x)$ reaches $p_0 = 1/3$ close to $x = x_0 \approx 20$. Therefore, $r(1) = (x_0 K)^{-1/\alpha} \approx 0.12$ and $\sigma(1) \approx 0.045$.

This model assumes that the total number of nodes is $N = \nu A$, where $\nu$ is node density per unit area. If $\lambda$ represents network traffic density, the average number of neighbors per node is [9]

$$M = \sigma(1)\,\frac{\nu}{\lambda}. \tag{1}$$

7.3 Link-State Overhead
Our goal is to derive traffic
density caused by ALARM control packets. There are two sources of control traffic in link-state protocols: 1) neighborhood sensing (e.g., HELLO messages), and 2) topology discovery via link-state announcements (LAMs in ALARM).

Neighborhood sensing is the same for most link-state protocols; each node periodically broadcasts a HELLO containing the list of neighbors heard by it. By comparing their lists nodes determine the set of neighbors for which they have symmetric links. This is not the case in ALARM: because each node is aware of its own location, mere knowledge of another's location is sufficient to determine whether that node is a neighbor.

Assume $h$ is the neighborhood information refresh rate and let $B$ be the maximum number of node identifiers within a slot. We assume that each identifier (a group signature and a location) is about 250 bits (see LAM format in Fig. 2). For a MANET with a capacity of 100 MBps, there are 1,000 slots per second, assuming a slot can carry 100 KB, i.e., 1 msec. Thus $B = 100\,\text{Kb}/250\,\text{b} = 400$. If the neighbor list exceeds $B$, several HELLOs are generated per update period. A node must generate $\lceil M/B \rceil$ HELLOs per period. This leads to traffic density of $h\nu\lceil M/B \rceil$. Omitting fractional parts, we have [9]

$$\lambda \ge h\nu\,\frac{M}{B}. \tag{2}$$

If HELLOs are the only source of control traffic, since $M = \sigma(1)\nu/\lambda$, we get

$$M \le \frac{\sigma(1)}{M}\,\frac{B}{h}. \tag{3}$$

This is only an upper bound because the network may be smaller than $\sigma(1)$. In OLSR, a node generates HELLOs every 2 seconds, i.e., $h = 1/2{,}000$. Therefore, the maximum manageable neighbor size with only the HELLO control traffic is $\sqrt{B\sigma(1)/h} \approx 190$. The basic ALARM protocol does not have HELLO messages; so, the previous upper bound does not apply.

We now express $\lambda$ only in terms of ALARM protocol overhead (similar derivation for OLSR and OSPF can be found in the Appendix). We assume that, in all protocols, the topology discovery and control (TC) update period are the same. For the standardized OLSR [28], TC rate per node is $\tau = 1/5{,}000$ (i.e., every 5 seconds, which we also use as a LAM flooding period in ALARM and also in OSPF).

ALARM Model: A node periodically: 1) transmits its LAMs with rate $h$, and 2) retransmits received LAMs with some delay (one copy to all $M$ neighbors). Thus, ALARM traffic density satisfies [footnote 4]

$$\lambda \ge \tau\nu M \left\lceil \frac{N}{B} \right\rceil. \tag{4}$$

From (1) and (4), we get

$$M \le \frac{\sigma(1)}{\tau M \lceil N/B \rceil}. \tag{5}$$

Dropping the ceiling results in

$$M \le \sqrt{\frac{\sigma(1)B}{\tau N}}. \tag{6}$$

This represents the relationship between network size $N$ and average neighborhood size $M$. The minimum neighborhood size $M$ is 1, below which the network no longer has any significant connected components. The maximum size of the network $N$ is obtained when $M = 1$, then

$$N_{max} = \frac{\sigma(1)B}{\tau} \approx 90{,}000 \text{ for } B = 400 \text{ with } \sigma(1) = 0.045 \text{ and } \tau = 1/5{,}000.$$

For the special case of $N = M$ (i.e., a single-hop network),

$$M_{ALARM} \le \sqrt[3]{\frac{\sigma(1)B}{\tau}} \approx 45 \text{ for } B = 400.$$

To summarize, the basic ALARM incarnation can achieve 0.73 (45/62) of maximum neighborhood size, compared to OLSR. A modified OSPF (to improve performance) under assumptions given above can only achieve 0.677 (42/62) of maximum neighborhood size, compared to OLSR. Because routing overhead is inversely proportional to neighborhood size, ALARM would incur slightly higher overhead than OLSR, which is the price for its simplicity and its privacy features. We note that a simple modification to ALARM that makes nodes selectively forward LAMs (similar to MPR selection in OLSR) would result in significantly lower overhead.

4. We neglect the term of sending a node's own LAM with rate $h$ because it is one message of constant size independent of the number of neighbors. Taking it into account would only slightly affect neighborhood size.

7.4 Time to Construct Network Topology
Recall that LAMs are periodically flooded to facilitate timely update of topology information. This requires that cumulative LAM propagation delay ($T_{prop}$) coupled with group signatures verification delay ($T_{ver}$) be smaller than LAM flooding period. We now assess the feasibility of this constraint and analyze the relationship between number of nodes and area size for which it can be satisfied. Time to construct topology ($T_{top}$) is

$$T_{top} = T_{prop} + T_{ver}, \tag{7}$$

where $T_{ver} = N \cdot T_{ver}^{gsig}$ is time to verify all $N$ group signatures. Time to verify a single group signature ($T_{ver}^{gsig}$) depends on the specific group signature scheme. For example, using the group signature scheme of Table 1, a node can verify about 60 group signatures in less than a second. For small to medium-size networks (of 10s or 100s of nodes) such performance is reasonable. Faster group signature schemes exist, however, they feature longer signature and key sizes. $T_{prop}$ is the total time to transmit all ($N^2$) LAMs to all nodes

$$T_{prop} = \frac{N^2 \cdot LAM_{size}}{MaxNumTx \cdot BW}, \tag{8}$$

where $LAM_{size}$ is LAM size, $BW$ is the bandwidth of the underlying wireless channel (e.g., 10 MBps), and $MaxNumTx$ is maximum number of simultaneous transmissions. We now estimate the latter using a medium access protocol based on the DCF function (as in the IEEE 802.11 MAC). The analysis is based on the model in [56]. In general, for node $j$ to correctly receive a signal from node $i$, the signal to noise ratio has to exceed a certain threshold (capture threshold, $z_0$)

$$SIR = \frac{P_i\gamma_{ij}}{N_0 + \sum_{k \ne i} P_k\gamma_{kj}} > z_0, \tag{9}$$

where $P_i$ is transmission power of node $i$, $\gamma_{ij} \propto d^{-\alpha}$ is channel gain between nodes $i$ and $j$ (with $d$ being distance between $i$ and $j$ and power loss exponent $\alpha$ assumes values between 2 and 4), $N_0$ is background noise power and $z_0$ ranges from 1 (perfect capture) to $\infty$ (no capture). We assume that $N_0$ is small and the transmit power is constant.

In the general case with multiple interferers, the number of simultaneous senders is maximized when they are located as close as possible. In this setting, each transmission does not interfere with the rest of the senders. The model in [56] shows such an arrangement and only considers the first-tier (one hop away) interferers, since their interference is much stronger than that of second-tier (two hops away). The worst-case interference with respect to communication from $i$ to $j$ occurs when distances from $j$ to the six interferers are $D - d$, $D - d$, $D - d/2$, $D$, $D + d/2$, and $D + d$, respectively. Thus, SIR becomes [56]

$$SIR = \frac{d^{-\alpha}}{2(D-d)^{-\alpha} + \left(D - \frac{d}{2}\right)^{-\alpha} + D^{-\alpha} + \left(D + \frac{d}{2}\right)^{-\alpha} + (D+d)^{-\alpha}}, \tag{10}$$

where $d$ and $D$ denote sender-to-receiver ($i$-$j$) and interferer-to-receiver ($k$-$j$) distances, respectively. Let $D_{min}$ be minimum distance satisfying SIR. Maximum number of concurrent transmissions in area $L^2$ then becomes

$$MaxNumTx = \frac{L}{D_{min}} \cdot \frac{L}{\frac{\sqrt{3}}{2} D_{min}} = \frac{2L^2}{\sqrt{3}\,D_{min}^2}. \tag{11}$$

To simplify, we approximate the distance between node $j$ and all interferers as $D$. In this case, from the SIR equation (10), we have

$$D_{min} = \sqrt[\alpha]{6 z_0}\; d. \tag{12}$$

Using this $D_{min}$ to calculate the $MaxNumTx$ and substituting with typical values for the attenuation exponent ($\alpha = 2$) and the capture threshold ($z_0 = 10$), the propagation time $T_{prop}$ in (8) becomes

$$T_{prop} = \frac{60\, d^2 \cdot LAM_{size} \cdot N^2 \sqrt{3}}{2\, BW \cdot L^2}. \tag{13}$$

Assuming that uniform node distribution (according to a Poisson process with $\nu$ nodes per unit area) average distance between nodes becomes d 128 qN [50]. Tprop can be expressed as
45 N 5=2 LAMsize 256 Tprop BW L2 3=2 p (14)
We assume that time available for cumulative LAMs propagation is a fraction ($f_{prd}$) of the LAM flooding period ($LAM_{prd}$). Then, the relationship between maximum number of nodes ($N$) and area size ($L^2$) becomes
s3=2p N L4=5 LAMprd fprd bw LAMsize 256 3 (15)
Fig. 7 shows maximum number of nodes that satisfies different LAM flooding periods for various area sizes. Network parameters used are $LAM_{size} = 350$ bytes, $BW = 10$ Mbps, $f_{prd} = 0.1$, $LAM_{prd} = 5$ seconds (in Figs. 7a and 7c).

Graphs in Figs. 7a and 7b show maximum number of nodes satisfying (13) for $T_{prop} = LAM_{prd} \cdot f_{prd}$ with $f_{prd} = 0.1$. Graphs in Fig. 7c are based on (15). Number of nodes (y-axis) is plotted for various area Length/Width (x-axis) for different values of Poisson parameter for node density per unit area ($\nu$, varied between 0.02 and 0.1).

Fig. 7. Maximum number of nodes satisfying different LAM flooding periods for various area sizes. ($LAM_{size} = 350$ bytes, $BW = 10$ MBps, $f_{prd} = 0.1$, $LAM_{prd} = 5$ seconds if not varied). (a) Varying sender/receiver distance, (b) varying LAM period, (c) varying nodes per unit area (Poisson $\nu$).

7.5 Effect of Node Mobility on Route Availability
Node mobility affects availability of wireless links, which, in turn, influences routes over these links. An important question is: How long do routes persist under different mobility models? An exhaustive study [20] of effects of mobility on MANET routing protocols has shown that, in a MANET of 40 nodes in a 1,000 m × 1,000 m area, moving according to the reference point group mobility (RPGM) model (consisting of one big group), average lifetime of a link is around 900 seconds for speeds less than 30 m/sec. For a setting with four groups (of 10 nodes each), link lifetime drops significantly, but exceeds 240 seconds for speeds up to 50 m/sec. Link lifetime is around 60 seconds under the Freeway and Manhattan mobility models [20]. The same study analyzed path lifetime and showed that similar durations are observed for path availability (i.e., 100s of seconds for RPGM and 10s of seconds for RWM, Manhattan and Freeway Mobility). Bai and Helmy [20] also report that the path availability [footnote 5] for RPGM (single and multiple groups), RWM, Freeway and Manhattan was found to be 100 percent, 92 percent, 97 percent, 99 percent, and 95 percent, respectively.

Recall that ALARM periodically (on the order of seconds) floods topology updates (LAMs). Between topology updates, routes would remain stable and available based on results from [20] showing that routes remain available for several minutes in RPGM, and for around one minute under other models (RWM or VANET models, e.g., Manhattan and Freeway). If traffic patterns are bursty and data sessions are short-lived (lasting on the order of seconds) then mobility would not affect ALARM operation.

5. Fraction of time for which a path between any two nodes was available.

8 SIMULATION RESULTS
We first introduce a new privacy metric to measure ALARM's effectiveness in combating node tracking. We then simulate ALARM with several mobility models to show its resistance to insider attacks.

8.1 Privacy Metric
Recall that
ALARM provides node privacy by preventing tracking by both insider and outsider adversaries. To illustrate its effectiveness, we define a new privacy metric called Average Node Privacy (ANP). Basically, ANP is a cumulative version of k-anonymity [48] over time and averaged over the entire network. Given the successive topology snapshots during the operation of the network ($T$ snapshots), ANP represents the average fraction of nodes that a given node can be equally likely mapped to. This is similar to the k-anonymity concept where a node's privacy is preserved by making it indistinguishable from a set of $k$ other nodes. ANP is computed as follows:

$$ANP = \sum_{t=1}^{T} \sum_{i=1}^{K} \frac{K - K_i^t}{T \cdot K^2}, \tag{16}$$

where $K$ is the total number of nodes in the MANET. $T$ is the number of snapshots of the network over time. $K_i^t$ is the number of nodes from snapshot $t$ to which node $i$ cannot be mapped, assuming that the adversary knows where $i$ was at snapshot $t-1$. The $T \cdot K^2$ term in the denominator normalizes the metric so that it has a maximum value of 1. $K_i^t$ depends on the underlying mobility pattern (i.e., direction and speed of movement), time between successive topology snapshots (i.e., time between two LAMs) and size of the area within which the nodes move. Between two successive snapshots of the topology, $K_i^t$ will include nodes outside a circle defined by $r$ ($r$ = node speed × LAM period) as its radius and the location of node $i$ in the first snapshot as the center.

ANP is highest when the best mapping an adversary can construct is one where a node from snapshot $t-1$ is equally likely to be mapped to any of the $K$ nodes in snapshot $t$. In this case, $r$ is the longest possible traveling distance in the area of movement (e.g., the diagonal in the case of a square) and ANP will be 1. When each node can only be mapped to one other node, then nodes become completely traceable and node privacy is violated. In this case, an adversary can look at two subsequent snapshots of the network topology and deterministically map nodes from the first snapshot to nodes in the second snapshot.

To achieve an ANP of 1 for nodes moving inside an area ($L \times L$), the time between snapshots (LAM period) has to be long enough for the slowest node to travel a distance equal to $\sqrt{2}\,L \approx 1.4\,L$. In this case, a node at a location $L_1$ in the first snapshot is equally likely to be at any other location $L_2$ in the second snapshot. An adversary that compares these two snapshots and aims to track a certain node's movement will at most be able to determine the mapping between the first snapshot and the second correctly with probability $1/K$ (because of random guessing). If the adversary wants to track more nodes the probability of success decreases rapidly. If the adversary wants to track all ($K$) nodes, the probability of success will be $1/K!$. The probability of tracking ($i$) out of the ($K$) nodes is $(K-i)!/K!$.

TABLE 4
Simulation Parameters

8.2 Effects of Node Mobility on Privacy
We simulated a MANET with nodes moving in a square area with 1,000 m side length. Simulations were performed using the SimPY [46] discrete-event simulation framework.

We used four mobility models. Two are entity-based:
1. random walk and
2. random waypoint [11]
and the other two are group-based:
3. reference point group mobility model (RPGM) [22] and
4. time-variant user mobility model (TVUM) [29]. TVUM was developed based on behavior found in wireless network traces obtained from university networks and is the closest approximation of real-life mobility patterns [29].
We summarize simulation parameters in Table 4.

Random Walk Mobility (RWM). In this model, a node chooses a random destination within the area and moves towards it. Once a node reaches its destination, it randomly chooses a new one and starts moving toward it. Random waypoint and RWM have been criticized as unrealistic [20]; however, we use RWM as a base-case to show that completely random movements might not yield the highest level of privacy. Also, RWM could be a reasonable approximation of mobility in military (e.g., battlefield) settings, for which no traces are available, for obvious reasons. The results for RWM are shown in Fig. 8a. Very similar results were also obtained for the random waypoint model [11]. Fig. 8a shows that, when the inter-LAM interval is 5 seconds, each node can be mapped to less than 10 percent of other nodes (i.e., ANP < 0.1) at speeds below 32 m/sec (about 100 Km/h). If node speed exceeds that, privacy increases. We note that this ANP of 0.1 means that each node cannot be distinguished from 10 other nodes in this setting. Increasing the inter-LAM interval to 10 seconds results in significant gain in privacy: an ANP of 0.3. This goes up to 0.7 for a 20 seconds inter-LAM interval.

RPGM. Fig. 8b shows simulation results for the RPGM model. In it, nodes are predivided into equally sized groups. Each group has a logical center which defines movement patterns for the entire group, i.e., speed, acceleration and direction. Each group member is placed randomly in the vicinity of its reference point, relative to the group center. This ensures that relative positions of nodes inside the group change over time. When nodes move according to the RPGM model with low speeds and with small inter-LAM intervals, ANP is higher than when all nodes move independently. Fig. 8a shows the result of simulating 100 nodes divided into 5 equal-sized groups (20 nodes each). ANP in RPGM is 0.4 at 32 m/sec (instead of 0.3 in RWM). This is because the mobility pattern guarantees that at least nodes within the same group remain in each other's vicinity. The difference between RPGM and RWM for larger inter-LAM intervals (20 and 30 seconds) is small (about 0.05), especially at high speeds, because the area of possible coverage is large and includes most of the nodes, regardless of the mobility model.

Fig. 8. Effect of node speed on ANP: Random walk (RWM), reference point group mobility (RPGM), and time-varying user mobility (TVUM). (a) Effect of node speed on ANP (RWM), (b) Effect of node speed on ANP (RPGM), (c) Effect of node speed on ANP (TVUM).

Fig. 9 shows the effect of the number of groups on ANP under the RPGM model. It is easy to see that, due to the construction of the model, smaller number of groups implies better privacy. If we double the number of groups (assuming constant network size), the number of nodes in each group is halved and a linear drop in ANP occurs. This is because nodes in the same group moving more-or-less together are indistinguishable. We claim that RPGM may be common in mission-critical settings and its relatively high privacy illustrates ALARM's suitability in such settings.

Fig. 9. Effect of number of groups on ANP (RPGM).

TVUM. This model was motivated by two observations typical in traces of mobile wireless networks: skewed location visiting preference and periodic reappearance. The distinctive feature of TVUM is in defining often-visited communities (areas) so as to capture skewed location visiting preferences and the use of time periods with different mobility parameters to create periodic reappearance. Each node is randomly assigned to a community. TVUM defines two time periods: normal movement period (NMP) and concentration movement period (CMP). Within a CMP, a node visits its community with high probability. A node has two different modes of movement: local epoch and roaming epoch. In a local epoch, a node's mobility is confined within its community. In a roaming epoch, a node is free to move within the whole simulation area. A node switches between epochs based on a two-state Markov chain model.
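
The ANP metric of Section 8.1, equation (16), can be computed directly from successive topology snapshots. The following is an added example, not the authors' SimPY code: the mover is a simplified version of the random-destination model described for RWM, T is taken as the number of snapshot transitions, and the seed, node count and function names are assumptions.

```python
import random
from math import hypot

SIDE = 1000.0  # side of the square area in metres, as in Section 8.2


def simulate(k, speed, seconds, seed=1):
    """Per-second positions of k nodes. Each node heads to a random
    destination at constant speed and picks a new one on arrival."""
    rng = random.Random(seed)

    def point():
        return (rng.uniform(0, SIDE), rng.uniform(0, SIDE))

    pos = [point() for _ in range(k)]
    dst = [point() for _ in range(k)]
    trace = [list(pos)]
    for _ in range(seconds):
        for i in range(k):
            (x, y), (dx, dy) = pos[i], dst[i]
            dist = hypot(dx - x, dy - y)
            if dist <= speed:              # arrives within this second
                pos[i], dst[i] = dst[i], point()
            else:
                step = speed / dist
                pos[i] = (x + step * (dx - x), y + step * (dy - y))
        trace.append(list(pos))
    return trace


def anp(snapshots, radius):
    """Equation (16): sum over transitions t and nodes i of
    (K - K_i^t) / (T * K^2), with K_i^t the nodes outside the circle."""
    k, t = len(snapshots[0]), len(snapshots) - 1
    total = 0
    for prev, cur in zip(snapshots, snapshots[1:]):
        for px, py in prev:
            # K - K_i^t: nodes of snapshot t that lie inside the circle of
            # radius r around node i's position in snapshot t-1
            total += sum(hypot(cx - px, cy - py) <= radius for cx, cy in cur)
    return total / (t * k * k)


def anp_for_period(trace, speed, lam_period):
    """Sample the trace once per LAM period; r = node speed * LAM period."""
    return anp(trace[::lam_period], speed * lam_period)


if __name__ == "__main__":
    speed = 32.0                           # m/sec, the speed quoted for Fig. 8a
    trace = simulate(k=100, speed=speed, seconds=120)
    for period in (5, 10, 20):
        print(f"LAM period {period:2d} s: ANP = "
              f"{anp_for_period(trace, speed, period):.2f}")
```

Lengthening the LAM period enlarges the circle an adversary must consider around each previous position, so more nodes become candidate mappings and ANP rises.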
We use the following values in our simulations: four communities, defined as an area covered by a circle with 100 m radius and center selected at random. NMP is 200 seconds and CMP is 400 seconds. The probability of switching from local to roaming epoch is $p_r = 0.4$, and, from roaming to local $p_l = 0.7$. Local epoch is set to 200 seconds and roaming 100 seconds.

Fig. 8c shows the simulation results. ANP is, on average, lower than that under RPGM mainly because each node moves independently from others. However, ANP is higher (by about 0.05-0.1) than in RWM. Nodes belonging to the same community are more likely to select destinations that are closer and are more likely to intersect.

9 RELATED WORK
Secure MANET
routing has been extensively studied in both security and networking research communities. A comprehensive survey of this work can be found in [24]. Prominent secure on-demand MANET routing protocols include SRDP [30], Ariadne [25], and SEAD [23]. All of them focus on securing route discovery, route maintenance and defending against modification and fabrication of routing information. Privacy, especially tracking-resistance, is not one of the goals of these protocols.

A more relevant body of research focused on proactive anonymous MANET routing protocols, such as SPM [42]. SPM is a modified link-state protocol that requires nodes joining (and leaving) the MANET to report such events to super nodes. Super nodes collect and distribute topology information and also handle communication between different local MANETs. SPM assumes that nodes periodically change their pseudonyms and that they communicate based on instantaneous pseudonyms. SPM is thus identity-based and requires nodes to be able to retrieve each other's public keys.

Another related research direction tackles anonymous on-demand MANET routing, e.g., SPAAR [13], AO2P [52], ASR [58], MASK [57], ANODR [32], D-ANODR [55], ARM [45], ASRP [15], and ODAR [49]. A brief survey comparing ANODR, ASR, and discussing general anonymity and security issues in MANET routing protocols can be found in [33]. Of the anonymous on-demand protocols, SPAAR [13] and AO2P [52] require online location servers. ASR [58] and ARM [45] assume that each authorized source-destination pair preshares a unique symmetric key. AnonDSR [47], ASRP [15], EARP [54], and ARMR [17] assume that each source-destination pair shares some secret information, which could be the public key of the destination or a symmetric key. ANODR [32] assumes that the source shares some secret with the destination for the construction of a trapdoor, for example the destination's TESLA [41] secret key. SDAR [8] assumes that the source knows the public key of the destination obtained from a certification authority (CA), and ODAR [49] requires an online public key distribution server. MASK [57] and D-ANODR [55] contain the final destination in the clear in each RREQ message. AMRSS [14] and ARMR [17] utilize multiple paths for routing. AMRSS [14] assumes that the entire network shares a pair of public-private keys and that the destination ID will be encrypted using such a key. AMRSS also includes the entire path encrypted under the network key in each data message. In addition, all aforementioned on-demand anonymous routing protocols assume that nodes know the long term identities of the other nodes they will communicate with, i.e., the communication paradigm is identity centric.

Table 1 in Appendix A, which can be found on the Computer Society Digital Library at http://doi.ieeecomputersociety.org/10.1109/TMC.2010.256, compares these schemes with ALARM in more detail. The fundamental difference between ALARM and above protocols is that ALARM is geared for location-centric communication and does not assume any knowledge or existence of persistent node addresses or IDs. ALARM also does not require any online trusted parties or any preshared secret keys among MANET nodes.

PRISM [19] is another recent on-demand anonymous MANET routing protocol. Like ALARM, PRISM uses location-based instead of identity-based communication, and does not assume any long-term node identifiers or public keys. Also, similar to ALARM, it involves no preshared secrets or online servers. However, since it is not proactive, topology discovery is done in a hit-and-miss fashion. Despite their common use of group signatures, ALARM differs markedly from PRISM. Since ALARM is a link-state protocol, before attempting to communicate, nodes know the entire MANET topology; therefore, precise destination addressing is used. In contrast, in PRISM, a node has no a priori topology knowledge; it has to first determine its geographical area of interest and probe it with a route-request message (RREQ). Global knowledge of current topology in ALARM makes it easier to contend with active insider attacks.

In parallel to our work on ALARM [18], [10] proposed using group signatures to construct pseudonyms in vehicular ad hoc networks (VANETs). Compared to ALARM, [10] focuses only on VANETs. ALARM is designed for more general MANET settings (VANETs are a special type of MANETs) and takes into account active and passive insider attacks. Schoch et al. [44] study the impact of frequently changing pseudonyms on routing protocols. This is an important issue, as it can significantly affect routing performance. ALARM avoids this by adopting the same values for topology dissemination periods as current MANET link-state routing protocol standards, e.g., OLSR, as shown in our simulation results.

10 CONCLUSIONS
This paper presented the ALARM protocol, which supports anonymous location-based routing in suspicious MANETs. ALARM relies on group signatures to construct one-time pseudonyms used to identify nodes at their present locations. The protocol works with any group signature scheme and any location-based forwarding mechanism. We evaluated the overhead and scalability of ALARM and showed that it performs close to other protocols (e.g., OLSR) optimized to reduce control traffic. We also evaluated ALARM's tracking-resistance with different mobility models via simulations. ALARM is a viable and practical approach to routing in mission-critical location-based MANETs where security and privacy requirements must be reconciled and resistance to both outsider and insider attacks is needed.

REFERENCES
[1] EU Cooperative
Vehicle-Infrastructure System Project, http://www.cvisproject.org,
2011.
[2] OpenSSL: The Open Source Toolkit for SSL/TLS, http://www.openssl.org, 2011.
[3] OSPF with Digital Signatures, IETF RFC 2154, http://www.ietf.org/rfc/rfc2154.txt, 1997.
[4] G. Ateniese and G. Tsudik, "Some Open Issues and New Directions in Group Signatures," Proc. Third Int'l Conf. Financial Cryptography, Springer-Verlag, pp. 196-211, 1999.
[5] A Border Gateway Protocol 4 (BGP-4), IETF RFC 1771, http://www.ietf.org/rfc/rfc1771.txt, 1995.
[6] D. Boneh, X. Boyen, and H. Shacham, "Short Group Signatures," Proc. 24th Int'l Conf. Cryptology (CRYPTO '04), pp. 41-55, 2004.
[7] D. Boneh and H. Shacham, "Group Signatures with Verifier-Local Revocation," Proc. ACM Conf. Computer and Comm. Security (CCS '04), pp. 168-177, 2004.
[8] A. Boukerche, K. El-Khatib, L. Xua, and L. Korba, "An Efficient Secure Distributed Anonymous Routing Protocol for Mobile and Wireless Ad Hoc Networks," Computer Comm., vol. 28, pp. 1193-1203, 2005.
[9] E. Bacelli, C. Adjih, and P. Jacquet, "Link State Routing in Wireless Ad-Hoc Networks," Proc. IEEE Conf. Military Comm., vol. 2, 2003.
[10] G. Calandriello, P. Papadimitratos, J.-P. Hubaux, and A. Lioy, "Efficient and Robust Pseudonymous Authentication in VANET," Proc. ACM Int'l Workshop Vehicular Ad Hoc Networks (VANET '07), pp. 19-28, Sept. 2007.
[11] T. Camp, J. Boleng, and V. Davies, "A Survey of Mobility Models for Ad Hoc Network Research," Wireless Comm. and Mobile Computing, Special Issue on Mobile Ad Hoc Networking: Research, Trends, and Applications, vol. 2, pp. 483-502, 2002.
[12] S. Canard and M. Girault, "Implementing Group Signature Schemes with Smart Cards," Proc. Fifth Smart Card Research and Advanced Application Conf., pp. 1-1, 2002.
[13] S. Carter and A. Yasinsac, "Secure Position Aided Ad Hoc Routing," Proc. IASTED Int'l Conf. Comm. and Computer Networks (CCN '02), pp. 329-334, 2002.
[14] S. Chen and M. Wu, "Anonymous Multipath Routing Protocol Based on Secret Sharing in Mobile Ad Hoc Networks," Proc. Int'l Conf. Measuring Technology and Mechatronics Automation (ICMTMA '10), vol. 1, nos. 13/14, pp. 582-585, 2010.
[15] Y. Cheng and D. Agrawal, "Distributed Anonymous Secure Routing Protocol in Wireless Mobile Ad Hoc Networks," Proc. OPNETWORK, 2005.
[16] W. Diffie and M. Hellman, "New Directions in Cryptography," IEEE Trans. Information Theory, vol. 22, no. 6, pp. 644-654, Nov. 1976.
[17] Y. Dong, T. Wing Chim, V.O.K. Li, S.M. Yiu, and C.K. Hui, "ARMR: Anonymous Routing Protocol with Multiple Routes for Communications in Mobile Ad Hoc Networks," Ad Hoc Networks, vol. 7, no. 8, pp. 1536-1550, 2009.
[18] K. El Defrawy and G. Tsudik, "ALARM: Anonymous Location-Aided Routing in Suspicious MANETs," Proc. IEEE Int'l Conf. Network Protocols (ICNP '07), pp. 304-313, Oct. 2007.
[19] K. El Defrawy and G. Tsudik, "PRISM: Privacy-Friendly Routing in Suspicious MANETs (and VANETs)," Proc. IEEE Int'l Conf. Network Protocols (ICNP '08), pp. 258-267, Oct. 2008.
[20] N. Sadagopan Fan Bai and A. Helmy, "IMPORTANT: A Framework to Systematically Analyze the Impact of Mobility on Performance of Routing Protocols for Adhoc Networks," Proc. IEEE INFOCOM, vol. 2, pp. 825-835, 2003.
[21] T. Farley, P. McDaniel, and K. Butler, "A Survey of BGP Security Issues and Solutions," technical report, AT&T Labs - Research, 2004.
[22] X. Hong, M. Gerla, G. Pei, and C. Chinag, "A Group Mobility Model for Ad Hoc Wireless Networks," Proc. Second ACM Int'l Workshop Modeling, Analysis, and Simulation of Wireless and Mobile Systems (MSWiM '99), pp. 53-60, 1999.
[23] Y.-C. Hu, D.B. Johnson, and A. Perrig, "SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks," Proc. Fourth IEEE Workshop Mobile Computing Systems and Applications, pp. 3-13, 2002.
[24] Y.-C. Hu and A. Perrig, "A Survey of Secure Wireless Ad Hoc Routing," IEEE Security and Privacy, vol. 2, no. 3, pp. 28-39, 2004.
[25] Y.-C. Hu, A. Perrig, and D.B. Johnson, "Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks," Wireless Networks, vol. 11, nos. 1/2, pp. 21-38, 2005.
[26] L. Huang, K. Matsuura, H. Yamane, and K. Sezaki, "Enhancing Wireless Location Privacy Using Silent Period," Proc. IEEE Wireless Comm. and Networking Conf., vol. 2, pp. 1187-1192, 2005.
[27] A. Ruhil, I. Stojmenovic, and D. Lobiyal, "Voronoi Diagram and Convex Hull Based Geocasting and Routing in Wireless Networks," Proc. Eighth IEEE Int'l Symp. Computers and Comm. (ISCC '03), vol. 1, pp. 51-56, 2003.
[28] P. Jacquet, P. Muhlethaler, T. Clausen, A. Laouiti, A. Qayyum, and L. Viennot, "Optimized Link State Routing Protocol for Ad Hoc Networks," pp. 62-68, 2001.
[29] W. jen Hsu, T. Spyropoulos, K. Psounis, and A. Helmy, "Modeling Time-Variant User Mobility in Wireless Mobile Networks," pp. 758-766, May 2007.
[30] J. Kim and G. Tsudik, "SRDP: Securing Route Discovery in DSR," Proc. Mobiquitous, 2005.
[31] Y.-B. Ko and N.H. Vaidya, "Location-Aided Routing (LAR) in Mobile Ad Hoc Networks," Wireless Networks, vol. 6, no. 4, pp. 307-321, 2000.
[32] J. Kong and X. Hong, "ANODR: Anonymous on Demand Routing with Untraceable Routes for Mobile Ad-Hoc Networks," Proc. ACM MobiHoc, pp. 291-302, 2003.
[33] E.H.J. Kumari and A. Kannammal, "Privacy and Security on Anonymous Routing Protocols in MANET," Proc. Computer and Electrical Eng. (ICCEE '09), vol. 2, pp. 431-435, 2009.
[34] J. Kurose and K. Ross, Computer Networks: A Top Down Approach Featuring the Internet, Computer Networking, Pearson Education, 2005.
[35] W. Liao et al., "GeoGRID: A Geocasting Protocol for Mobile Ad Hoc Networks Based on GRID," J. Internet Technology, vol. 1, no. 2, 2000.
[36] A. Lysyanskaya, S. Micali, L. Reyzin, and H. Shacham, "Sequential Aggregate Signatures from Trapdoor Permutations," Proc. Advances in Cryptology (EUROCRYPT '04), pp. 74-90, 2004.
[37] S.L. Murphy and M.R. Badger, "Digital Signature Protection of the OSPF Routing Protocol," Proc. IEEE Symp. Network and Distributed System Security (SNDSS '96), p. 93, 1996.
[38] Nokia 6110 Navigator, http://europe.nokia.com/A4344146, 2011.
[39] Mobile Ad Hoc Network (MANET) Extension of OSPF, IETF RFC 5614, http://www.ietf.org/rfc/rfc5614.txt, 2009.
[40] R. Perlman, "Network Layer Protocols with Byzantine Robustness," PhD dissertation, Massachusetts Inst. of Technology, http://www.vendian.org/mncharity/dir3/perlman_thesis, 1988.
[41] A. Perrig, R. Canetti, J.D. Tygar, and D. Song, "The Tesla Broadcast Authentication Protocol," RSA CryptoBytes, vol. 5, 2002.
[42] J. Ren, Y. Li, and T. Li, "SPM: Source Privacy for Mobile Ad Hoc Networks," EURASIP J. Wireless Comm. Networks, vol. 2010, p. 5, 2010.
[43] R.L. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Comm. ACM, vol. 21, no. 2, pp. 120-126, 1978.
[44] E. Schoch, F. Kargl, T. Leinmüller, S. Schlott, and P. Papadimitratos, "Impact of Pseudonym Changes on Geographic Ad Hoc Routing," Proc. Third European Workshop Security and Privacy in Ad Hoc and Sensor Networks (ESAS '06), vol. 4357, pp. 43-57, 2006.
[45] S. Seys and B. Preneel, "ARM: Anonymous Routing Protocol for Mobile Ad Hoc Networks," Int'l J. Wireless and Mobile Computing, vol. 3, no. 3, pp. 145-155, 2009.
[46] Simpy Simulator, http://simpy.sourceforge.net, 2010.
[47] R. Song, L. Korba, and G. Yee, "AnonDSR: Efficient Anonymous Dynamic Source Routing for Mobile Ad-Hoc Networks," Proc. Third ACM Workshop Security of Ad Hoc and Sensor Networks (SASN '05), pp. 33-42, 2005.
[48] L. Sweeney, "k-Anonymity: A Model for Protecting Privacy," Int'l J. Uncertainty, Fuzziness and Knowledge-Based Systems, vol. 10, no. 5, pp. 557-570, Oct. 2002.
[49] D. Sy, R. Chen, and L. Bao, "ODAR: On-Demand Anonymous Routing in Ad Hoc Networks," Proc. IEEE Int'l Conf. Mobile Ad Hoc and Sensor Systems (MASS '06), pp. 267-276, Oct. 2006.
[50] H. Takagi and L. Kleinrock, "Optimal Transmission Ranges for Randomly Distributed Packet Radio Terminals," J. Wireless Networks, vol. 2, no. 4, pp. 329-342, Dec. 1996.
[51] G. Tsudik and S. Xu, "A Flexible Framework for Secret Handshakes," Proc. Privacy-Enhancing Technologies (PETs '06), 2006.
[52] X. Wu and B. Bhargava, "AO2P: Ad Hoc On-Demand Position-Based Private Routing Protocol," IEEE Trans. Mobile Computing, vol. 4, no. 4, pp. 335-348, July/Aug. 2005.
[53] Internet X.509 Public Key Infrastructure Certificate and CRL Profile, IETF RFC 2459, http://www.ietf.org/rfc/rfc2459.txt, 1999.
[54] H. Li, J. Ma, X. Li, and W. Zhang, "An Efficient Anonymous Routing Protocol for Mobile Ad Hoc Networks," Proc. Information Assurance and Security Conf. (IAS '09), pp. 287-290, 2009.
[55] L. Yang, M. Jakobsson, and S. Wetzel, "Discount Anonymous on Demand Routing for Mobile Ad Hoc Networks," Proc. SECURECOMM, vol. 28, pp. 1-10, Sept. 2006.
[56] C. Yu, K.G. Shin, and L. Song, "Link-Layer Salvaging for Making Routing Progress in Mobile Ad Hoc Networks," Proc. Sixth ACM Int'l Symp. Mobile Ad Hoc Networking and Computing, pp. 242-254, 2005.
[57] Y. Zhang, W. Liu, W. Lou, and Y. Fang, "MASK: Anonymous On-Demand Routing in Mobile Ad Hoc Networks," IEEE Trans. Wireless Comm., vol. 5, no. 9, pp. 2376-2385, Sept. 2006.
[58] B. Zhu, Z. Wan, M.S. Kankanhalli, F. Bao, and R.H. Deng, "Anonymous Secure Routing in Mobile Ad-Hoc Networks," Proc. 29th Ann. IEEE Int'l Conf. Local Computer Networks, pp. 102-108, Nov. 2004.

Karim El Defrawy received the BSc and MSc degrees in electrical
engineering from Cairo University, Egypt, in 2003 and 2006. He
received the MSc and PhD degrees in networked systems from the
University of California, Irvine (UCI) in 2008 and 2010. His
research interests include security and privacy in wireless
networks, peer-to-peer networks, mitigating large-scale attacks on
the Internet, and applied cryptography. He is a member of the
IEEE.

Gene Tsudik received the PhD degree in computer science from
the University of Southern California (USC) in 1991 for research
on firewalls and Internet access control. He is now a professor of
computer science at the University of California, Irvine (UCI),
where he serves as the director of the Secure Computing and
Networking Center (SCONCE) and vice-chair of the Computer Science
Department. Before coming to UCI in 2000, he was a project leader
at the IBM Zurich Research Laboratory from 1991-1996 and at the USC
Information Science Institute from 1996-2000. In 2007, he was on
sabbatical at the University of Rome as a Fulbright Senior Scholar.
Over the years, his research interests have included routing,
firewalls, authentication, mobile networks, secure e-commerce,
anonymity and privacy, group communication, digital signatures,
key management, mobile ad hoc networks, and database privacy and
secure storage. Since 2009, he has been the editor-in-chief of the
ACM Transactions on Information and Systems Security (TISSEC). He
is a senior member of the IEEE.